The Library
Analyzing and patching SPEKE in ISO/IEC
Tools
Hao, Feng, Metere, Roberto, Shahandashti, Siamak F. and Dong, Changyu (2018) Analyzing and patching SPEKE in ISO/IEC. IEEE Transactions on Information Forensics and Security, 13 (11). pp. 2844-2855. doi:10.1109/TIFS.2018.2832984 ISSN 1556-6013.
|
PDF
WRAP-analyzing-patching-SPEKE-Hao-2018.pdf - Accepted Version - Requires a PDF viewer. Download (988Kb) | Preview |
Official URL: http://dx.doi.org/10.1109/TIFS.2018.2832984
Abstract
Simple password exponential key exchange (SPEKE) is a well-known password authenticated key exchange protocol that has been used in Blackberry phones for secure messaging and Entrust's TruePass end-to-end web products. It has also been included into international standards such as ISO/IEC 11770-4 and IEEE P1363.2. In this paper, we analyze the SPEKE protocol as specified in the ISO/IEC and IEEE standards. We identify that the protocol is vulnerable to two new attacks: an impersonation attack that allows an attacker to impersonate a user without knowing the password by launching two parallel sessions with the victim, and a key-malleability attack that allows a man-in-the-middle to manipulate the session key without being detected by the end users. Both attacks have been acknowledged by the technical committee of ISO/IEC SC 27 and ISO/IEC 11770-4 revised as a result. We propose a patched SPEKE called P-SPEKE and present a formal analysis in the Applied Pi Calculus using ProVerif to show that the proposed patch prevents both attacks. The proposed patch has been included into the latest revision of ISO/IEC 11770-4 published in 2017.
Item Type: | Journal Article | |||||||||
---|---|---|---|---|---|---|---|---|---|---|
Subjects: | Q Science > QA Mathematics > QA76 Electronic computers. Computer science. Computer software | |||||||||
Divisions: | Faculty of Science, Engineering and Medicine > Science > Computer Science | |||||||||
Library of Congress Subject Headings (LCSH): | Computers -- Access control -- Passwords, Institute of electrical and electronics engineers -- Standards, International Standardizing Organization | |||||||||
Journal or Publication Title: | IEEE Transactions on Information Forensics and Security | |||||||||
Publisher: | IEEE | |||||||||
ISSN: | 1556-6013 | |||||||||
Official Date: | November 2018 | |||||||||
Dates: |
|
|||||||||
Volume: | 13 | |||||||||
Number: | 11 | |||||||||
Page Range: | pp. 2844-2855 | |||||||||
DOI: | 10.1109/TIFS.2018.2832984 | |||||||||
Status: | Peer Reviewed | |||||||||
Publication Status: | Published | |||||||||
Reuse Statement (publisher, data, author rights): | © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. | |||||||||
Access rights to Published version: | Restricted or Subscription Access | |||||||||
Date of first compliant deposit: | 5 December 2018 | |||||||||
Date of first compliant Open Access: | 5 December 2018 | |||||||||
RIOXX Funder/Project Grant: |
|
|||||||||
Related URLs: |
Request changes or add full text files to a record
Repository staff actions (login required)
View Item |
Downloads
Downloads per month over past year